maximum 1 year validity for digicert

2020-08-11 18:02:42 -07:00 · 2020-08-11 18:02:42 -07:00 · d7ca1570be
parent bde2829e72
commit d7ca1570be
2 changed files with 12 additions and 17 deletions
--- a/lemur/plugins/lemur_digicert/plugin.py
+++ b/lemur/plugins/lemur_digicert/plugin.py
@ -61,18 +61,16 @@ def signature_hash(signing_algorithm):


 def determine_validity_years(years):
-    """Given an end date determine how many years into the future that date is.
-    :param years:
-    :return: validity in years
    """
-    default_years = current_app.config.get("DIGICERT_DEFAULT_VALIDITY", 1)
-    max_years = current_app.config.get("DIGICERT_MAX_VALIDITY", default_years)
+    Considering maximum allowed certificate validity period of 398 days, this method should not return
+    more than 1 year of validity. Thus changing it to return 1.
+    Lemur will change this method in future to handle validity in months (determine_validity_months)
+    instead of years. This will allow flexibility to handle short-lived certificates.

-    if years > max_years:
-        return max_years
-    if years not in [1, 2, 3]:
-        return default_years
-    return years
+    :param years:
+    :return: 1
+    """
+    return 1


 def determine_end_date(end_date):
--- a/lemur/plugins/lemur_digicert/tests/test_digicert.py
+++ b/lemur/plugins/lemur_digicert/tests/test_digicert.py
@ -14,8 +14,6 @@ def config_mock(*args):
        "DIGICERT_ORG_ID": 111111,
        "DIGICERT_PRIVATE": False,
        "DIGICERT_DEFAULT_SIGNING_ALGORITHM": "sha256",
-        "DIGICERT_DEFAULT_VALIDITY": 1,
-        "DIGICERT_MAX_VALIDITY": 2,
        "DIGICERT_CIS_PROFILE_NAMES": {"digicert": 'digicert'},
        "DIGICERT_CIS_SIGNING_ALGORITHMS": {"digicert": 'digicert'},
    }
@ -24,10 +22,9 @@ def config_mock(*args):

@patch("lemur.plugins.lemur_digicert.plugin.current_app")
 def test_determine_validity_years(mock_current_app):
-    mock_current_app.config.get = Mock(return_value=2)
    assert plugin.determine_validity_years(1) == 1
-    assert plugin.determine_validity_years(0) == 2
-    assert plugin.determine_validity_years(3) == 2
+    assert plugin.determine_validity_years(0) == 1
+    assert plugin.determine_validity_years(3) == 1


@patch("lemur.plugins.lemur_digicert.plugin.current_app")
@ -52,7 +49,7 @@ def test_map_fields_with_validity_years(mock_current_app):
            "owner": "bob@example.com",
            "description": "test certificate",
            "extensions": {"sub_alt_names": {"names": [x509.DNSName(x) for x in names]}},
-            "validity_years": 2
+            "validity_years": 1
        }
        expected = {
            "certificate": {
@ -62,7 +59,7 @@ def test_map_fields_with_validity_years(mock_current_app):
                "signature_hash": "sha256",
            },
            "organization": {"id": 111111},
-            "validity_years": 2,
+            "validity_years": 1,
        }
        assert expected == plugin.map_fields(options, CSR_STR)